
Cyber Hygiene

COVID-19 has been rampant around the world and has significantly changed the way enterprises operate and people live. While organizations and businesses shift to remote systems and networks to support staff working from home, criminals are also exploiting exposed security vulnerabilities to steal data and generate profit: running phishing websites, cryptojacking, launching DDoS attacks through infected machines (known as a botnet), and abusing misconfigured devices.

As such, the Cyber Security and Technology Crime Bureau, Hong Kong Police Force, initiated a new wave of cyber hygiene operation to improve online security, maintain system health, and ultimately prevent cybercriminals from abusing organizations’ and businesses’ systems.

S/N | Type of Misconfiguration | Amplification Ratio | Involved Port | Method for Blocking Each Type of Amplified Reflection Attack
--- | --- | --- | --- | ---
1 | Accessible Apple Remote Desktop | 35.5 | 3283 | Turn off Remote Management in Settings
2 | Accessible CoAP | 50 | 5683 | Device whitelisting
3 | Accessible Ubiquiti Service Discovery | 35 | 10001 | Block source port
4 | Open Chargen | 358.8 | 19 | Block source port
5 | DNS Open Resolvers | 54 | 53 | 1) Disable recursion / limit recursion to trusted clients; 2) Response Rate Limiting (RRL)
6 | Open NetBIOS | 3.8 | 137 | Block source port
7 | NTP Monitor | 556.9 | 123 | 1) Upgrade to version 4.2.7 or above; or 2) Block external requests (including the "monlist" function)
8 | NTP Version | 40 | 123 | Block external requests
9 | Open LDAP Services | 55 | 389 | Block source port
10 | Open mDNS Servers | 10 | 5353 | Block source port
11 | Open MS-SQL Server Resolution Service | 25 | 1434 | Block source port
12 | Open Portmapper | 28 | 111 | Block source port
13 | Open TFTP Servers | 60 | 69 | Block source port
14 | Open QOTD | 140.3 | 17 | Block source port
15 | Open SNMP | 6.3 | 161 | Block source port
16 | Open SSDP | 30.8 | 1900 | Block source port
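The "Block source port" method in the table means dropping unsolicited inbound UDP whose source port is the abused service's port, because reflected traffic arrives at the victim as replies from that service. The following Python example is added here and is not part of the Cyber Defender page: it turns those table rows into iptables rules and runs the same match over a few constructed flow records. The port list, the flow record format and the sample records are assumptions of the example. DNS (53) and NTP (123) are deliberately left out, because the table gives those two services different methods.

```python
"""Victim-side handling of the reflector ports in the table above.

Added example, not from the Cyber Defender page: turns the table's
"Block source port" rows into iptables rules and applies the same logic
as a detector over constructed flow records.
"""
from collections import Counter

# (port, service) pairs taken from the table rows whose listed method is
# "Block source port". DNS (53) and NTP (123) are intentionally absent:
# dropping all UDP traffic *from* those source ports would also discard the
# legitimate replies your own resolvers and time clients are waiting for.
REFLECTOR_SOURCE_PORTS = {
    10001: "Ubiquiti Service Discovery",
    19: "Chargen",
    137: "NetBIOS name service",
    389: "LDAP",
    5353: "mDNS",
    1434: "MS-SQL Server Resolution Service",
    111: "Portmapper",
    69: "TFTP",
    17: "QOTD",
    161: "SNMP",
    1900: "SSDP",
}


def iptables_rules(ports=REFLECTOR_SOURCE_PORTS, chain="INPUT"):
    """Return one DROP rule per reflector port, matching on the *source* port.

    Reflected traffic reaches the victim as replies from the abused service,
    so the service port appears as the UDP source port, not the destination.
    """
    rules = []
    for port in sorted(ports):
        rules.append(
            f"iptables -A {chain} -p udp --sport {port} "
            f"-m comment --comment \"{ports[port]} reflection\" -j DROP"
        )
    return rules


def parse_flow(line):
    """Parse a constructed flow record: 'proto src:sport -> dst:dport bytes'."""
    proto, src, _arrow, dst, nbytes = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"proto": proto, "src": src_ip, "sport": int(sport),
            "dst": dst_ip, "dport": int(dport), "bytes": int(nbytes)}


def suspected_reflection(flows, ports=REFLECTOR_SOURCE_PORTS):
    """Sum inbound UDP bytes per reflector service.

    UDP from a reflector service port toward a high destination port is the
    signature of reflected traffic at the victim. One flow proves nothing;
    the caller should look at the aggregate volume per service.
    """
    by_service = Counter()
    for f in flows:
        if f["proto"] == "udp" and f["sport"] in ports and f["dport"] >= 1024:
            by_service[ports[f["sport"]]] += f["bytes"]
    return dict(by_service)


# Constructed sample flow records (not real traffic): a host at 203.0.113.10
# receiving replies it never asked for, plus an ordinary DNS answer and a
# TCP flow that must not match.
SAMPLE_FLOWS = [
    "udp 198.51.100.7:19 -> 203.0.113.10:40321 1400",
    "udp 198.51.100.8:19 -> 203.0.113.10:40321 1400",
    "udp 198.51.100.9:1900 -> 203.0.113.10:51212 320",
    "udp 192.0.2.53:53 -> 203.0.113.10:33333 120",
    "tcp 192.0.2.80:80 -> 203.0.113.10:44444 500",
]

if __name__ == "__main__":
    for rule in iptables_rules():
        print(rule)
    print(suspected_reflection([parse_flow(l) for l in SAMPLE_FLOWS]))
```

The rules are meant for a host or edge device that is the target of reflected traffic; on a machine that legitimately talks to one of these services (for example an NFS client that needs Portmapper replies), remove that port from the dictionary before generating rules.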

Description: The attackers are leveraging the Apple Remote Management Service (ARMS), which is part of the Apple Remote Desktop (ARD) feature.

When users enable the Remote Desktop capability on their macOS systems, the ARMS service starts on port 3283 and listens for incoming commands meant for the remote Mac.

Security Advice:

In macOS: Settings > Sharing > Remote Management > turn off Remote Management.

Description: One of the main threats associated with exposed CoAP services is their possible usage as reflectors for DDoS amplification attacks.

It has also been found that many of these CoAP services can leak information (including authorization credentials for services such as Wi-Fi networks). For certain devices, it may even be possible to issue remote instructions over CoAP.

Security Advice:

At the very least, CoAP instances should therefore be firewalled so that they communicate only with the devices that need them.


Description: These services have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. In addition, they expose a large amount of information about the system running the service.

Security Advice:

Block incoming connections to the relevant port on the firewall (Ubiquiti Service Discovery commonly uses port 10001).

Description: CHARGEN is a debugging and measurement tool and a character generator service. It can run over UDP. Attacks via CHARGEN were first addressed in 1996.

Security Advice:

A) Setting for Chargen service enabled Server (Linux)

Method 1:

Block incoming connections to the relevant port on the firewall (Chargen services commonly use port 19).

Method 2:

In a Linux terminal, edit the xinetd configuration for the chargen service to disable it:
cd /etc/xinetd.d/
nano chargen
In nano, find the "service chargen" stanza and set "disable = yes", then restart xinetd so the change takes effect (for example with "systemctl restart xinetd").

B) Setting for Chargen service enabled Server (Windows)

Modify the Registry and set the values of the following two entries to 0:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpChargen

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpChargen

C) Best Practice for Managing the Chargen service enabled Servers

Use a firewall to restrict access to the Chargen service.

Description: This report identifies DNS servers that will send a reply to any IP address for domains the DNS server is not authoritative for, and reports them back to the network owners for remediation.
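The probe this description refers to can be reproduced against the servers you administer, to confirm that the recursion settings in the Security Advice have taken effect. The following Python example is added here and is not the Cyber Defender page's code: it encodes a recursive A query for a name the server does not host, parses the reply header, and classifies the server as open or not. The probe name (example.com), the fixed query ID, the classification labels and the two constructed replies are assumptions of the example.

```python
"""Self-check for an open DNS resolver.

Added example, not from the Cyber Defender page: builds the kind of probe
described above (a recursive query for a zone the server is not
authoritative for) and interprets the reply. Parsing is kept in pure
functions so it can be exercised offline on constructed packets.
"""
import socket
import struct

# A name in a well-known zone the tested server does not host; the server is
# an open resolver only if it recurses and answers for such a zone.
PROBE_NAME = "example.com"
PROBE_QUERY_ID = 0x1234  # fixed so a reply can be matched; any value works

FLAG_RD = 0x0100   # recursion desired (set by us in the query)
FLAG_AA = 0x0400   # authoritative answer (set by a server hosting the zone)
FLAG_RA = 0x0080   # recursion available (set by a server that recursed)


def build_query(name=PROBE_NAME, qid=PROBE_QUERY_ID):
    """Encode a minimal DNS A query with the RD bit set (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    question = qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return header + question


def parse_header(packet):
    """Return the header fields of a DNS message as a dict."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": qid, "rcode": flags & 0x000F,
            "aa": bool(flags & FLAG_AA), "ra": bool(flags & FLAG_RA),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify(response, qid=PROBE_QUERY_ID):
    """Decide what a reply to the probe says about the server.

    'open'     : it recursed (RA set, AA clear) and returned an answer for a
                 zone it does not host, i.e. it is an open resolver.
    'refused'  : it replied but refused or gave no answer, which is what a
                 server with recursion disabled or limited to trusted
                 clients looks like from outside.
    'mismatch' : the reply does not belong to our query.
    """
    h = parse_header(response)
    if h["id"] != qid:
        return "mismatch"
    if h["rcode"] == 0 and h["ancount"] > 0 and h["ra"] and not h["aa"]:
        return "open"
    return "refused"


def probe(server_ip, port=53, timeout=3.0):
    """Send the probe over UDP to a server you administer; 'silent' on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (server_ip, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "silent"
    return classify(data)


# Constructed replies (not captured traffic) in the two states that matter.
# Flags 0x8180 = QR|RD|RA, NOERROR; one A record (198.51.100.0, TEST-NET-2)
# follows the echoed question.
OPEN_REPLY = (struct.pack("!HHHHHH", PROBE_QUERY_ID, 0x8180, 1, 1, 0, 0)
              + b"\x07example\x03com\x00\x00\x01\x00\x01"
              + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc6\x33\x64\x00")
# Flags 0x8105 = QR|RD, RCODE 5 (REFUSED), RA clear, no answer section.
REFUSED_REPLY = (struct.pack("!HHHHHH", PROBE_QUERY_ID, 0x8105, 1, 0, 0, 0)
                 + b"\x07example\x03com\x00\x00\x01\x00\x01")

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else classify(OPEN_REPLY))
```

Run it from outside your own network against your server's public address: "refused" or "silent" is the desired outcome after applying the advice below, while "open" means the server still recurses for anyone.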

Security Advice:

A) Setting to disable recursion or limit recursion to trusted clients in the DNS server

Bind 9

Add the following to the global options:
options {
    allow-query-cache { none; };
    recursion no;
};

Windows

In the Microsoft DNS console tool:

B) Limiting Recursion to Authorized Clients

Bind 9

In the global options, include the following:
acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options {
    allow-query { any; };
    allow-recursion { corpnets; };
};

Windows

It is not currently possible to restrict recursive DNS requests to a particular client address range in Microsoft DNS Server. To approximate the functionality of the BIND access control lists in Microsoft’s DNS Server, a different caching-only name server should be set up internally to provide recursive resolution. A firewall rule should be created to block incoming access to the caching-only server from outside the organization’s network. The authoritative name server functionality would then need to be hosted on a separate server, but configured to disable recursion as previously described.

C) Setting Response Rate Limiting (RRL)

Bind 9

On a BIND 9 installation built with RRL support, include the following lines in the options block of the authoritative views:
rate-limit {
    responses-per-second 5;
    window 5;
};

Windows

Set RRL parameters on a DNS server using PowerShell:
Set-DnsServerResponseRateLimiting -WindowInSec 7 -LeakRate 4 -TruncateRate 3 -ErrorsPerSec 8 -ResponsesPerSec 8
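To see what the responses-per-second and window settings above do, here is a simplified Python model of response rate limiting, added here as an illustration and not the BIND 9 or Windows DNS implementation: identical responses toward one client /24 draw from a credit balance that refills at the configured rate and is capped at window times that rate, and every Nth suppressed response is sent truncated instead of dropped (the "slip" behaviour behind the Windows -TruncateRate parameter) so a genuine client can retry over TCP. The bucket key, the refill rule and the parameter defaults are assumptions of this model.

```python
"""Simplified model of DNS Response Rate Limiting (RRL).

Added example, not the BIND 9 or Windows DNS implementation: models the
responses-per-second / window parameters from the configuration above and
the truncate (slip) behaviour, so the effect of the settings on a flood of
identical queries can be seen without a server.
"""
import ipaddress
from collections import defaultdict


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, window=5, truncate_rate=2):
        self.rps = responses_per_second
        self.window = window
        self.truncate_rate = truncate_rate
        # One credit balance per (client network, response identity).
        self._balance = defaultdict(lambda: self.rps)
        self._last_tick = defaultdict(int)
        self._suppressed_in_row = defaultdict(int)

    @staticmethod
    def key(client_ip, qname, rcode):
        """Identical responses toward one /24 share a bucket: a spoofed-source
        flood aims many identical answers at one victim network."""
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net), qname.lower(), rcode)

    def decide(self, now, client_ip, qname, rcode=0):
        """Return 'send', 'truncate' or 'drop' for one response at time `now`
        (integer seconds). Credits refill at rps per second and accumulate up
        to window * rps, so a short burst after a quiet period is allowed."""
        k = self.key(client_ip, qname, rcode)
        elapsed = now - self._last_tick[k]
        if elapsed > 0:
            self._balance[k] = min(self._balance[k] + elapsed * self.rps,
                                   self.window * self.rps)
            self._last_tick[k] = now
        if self._balance[k] > 0:
            self._balance[k] -= 1
            self._suppressed_in_row[k] = 0
            return "send"
        # Over the limit. Every truncate_rate-th suppressed response goes out
        # as a small TC=1 reply instead of being dropped: a real client retries
        # over TCP, while the amplification payoff of the full answer is gone.
        self._suppressed_in_row[k] += 1
        if self.truncate_rate and self._suppressed_in_row[k] % self.truncate_rate == 0:
            return "truncate"
        return "drop"


def simulate_flood(limiter, client_ip, qname, queries_per_second, seconds):
    """Feed a steady flood of identical queries and tally the decisions."""
    tally = {"send": 0, "truncate": 0, "drop": 0}
    for t in range(seconds):
        for _ in range(queries_per_second):
            tally[limiter.decide(t, client_ip, qname)] += 1
    return tally


if __name__ == "__main__":
    # Constructed scenario: 100 identical queries per second for 3 seconds,
    # all claiming to come from one /24.
    print(simulate_flood(ResponseRateLimiter(), "203.0.113.5", "example.com", 100, 3))
```

With the defaults, the flood gets 5 full answers per second regardless of how many queries arrive, which is why RRL removes most of the amplification without affecting clients whose query rate for one name stays below the limit.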

D) Best Practice for Managing the Open DNS Servers

Reduce the total number of open DNS resolvers

An essential component of DNS amplification attacks is access to open DNS resolvers. By having poorly configured DNS resolvers exposed to the Internet, all an attacker needs to do to utilize a DNS resolver is to discover it. Ideally, DNS resolvers should only provide their services to devices that originate within a trusted domain. In the case of reflection based attacks, the open DNS resolvers will respond to queries from anywhere on the Internet, allowing the potential for exploitation. Restricting a DNS resolver so that it will only respond to queries from trusted sources makes the server a poor vehicle for any type of amplification attack.

Source IP verification – stop spoofed packets leaving network

Because the UDP requests being sent by the attacker’s botnet must have a source IP address spoofed to the victim’s IP address, a key component in reducing the effectiveness of UDP-based amplification attacks is for Internet service providers (ISPs) to reject any internal traffic with spoofed IP addresses. If a packet is being sent from inside the network with a source address that makes it appear like it originated outside the network, it’s likely a spoofed packet and can be dropped.
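The source IP verification described above (ingress/egress filtering of spoofed addresses) reduces to one rule: a packet leaving the network with a source address the network does not own is spoofed and is dropped. The following Python example is added here and is not from the Cyber Defender page: it applies that rule to a few constructed packets and renders the equivalent nftables rule set. The prefixes, the interface name and the sample packets are invented for the example.

```python
"""Egress anti-spoofing (source address validation) check.

Added example, not from the Cyber Defender page: classifies outbound packets
by whether their source address belongs to the network's own prefixes and
renders the same policy as nftables rules.
"""
import ipaddress

# Prefixes the operator owns or assigns to customers (constructed values).
OWN_PREFIXES = [ipaddress.ip_network(p)
                for p in ("198.51.100.0/24", "203.0.113.0/24")]


def is_spoofed_egress(src_ip, own_prefixes=OWN_PREFIXES):
    """True if an outbound packet carries a source address we do not own."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in own_prefixes)


def filter_egress(packets, own_prefixes=OWN_PREFIXES):
    """Split (src, dst, proto, dport) tuples into (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        bucket = dropped if is_spoofed_egress(pkt[0], own_prefixes) else forwarded
        bucket.append(pkt)
    return forwarded, dropped


def nftables_rules(own_prefixes=OWN_PREFIXES, out_if="wan0"):
    """Render the policy as nftables: forward own sources, drop the rest.

    The interface name and table name are assumptions; adapt them to the
    upstream-facing interface of the router that enforces the policy.
    """
    prefixes = ", ".join(str(n) for n in own_prefixes)
    return "\n".join([
        "table inet antispoof {",
        "  chain forward_out {",
        "    type filter hook forward priority 0; policy accept;",
        f'    oifname "{out_if}" ip saddr {{ {prefixes} }} accept',
        f'    oifname "{out_if}" counter drop',
        "  }",
        "}",
    ])


# Constructed packets: two hosts using addresses the network owns, and one
# using a source address the network does not own (the spoofed case the
# paragraph above describes).
SAMPLE_PACKETS = [
    ("198.51.100.20", "192.0.2.10", "udp", 443),
    ("203.0.113.7", "192.0.2.53", "udp", 53),
    ("192.0.2.99", "198.18.0.5", "udp", 123),
]

if __name__ == "__main__":
    fwd, drop = filter_egress(SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped:", drop)
    print(nftables_rules())
```

The `counter` on the drop rule matters operationally: a rising counter on an edge router is the quickest sign that a host inside the network is emitting spoofed packets, which is the condition this advice is meant to catch.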

Description: NetBIOS defines a software interface and a naming convention. The NetBIOS name service uses port 137/udp.

Openly accessible NetBIOS name services can be abused for DDoS reflection attacks against third parties. Furthermore, they allow potential attackers to gather information on the server or network for preparation of further attacks.

Security Advice: Block incoming connections to the relevant port on the firewall (NetBIOS services commonly use port 137).

Description: NTP is short for Network Time Protocol. It is one of the standards for time synchronization on the Internet. Its purpose is to synchronize a computer's clock to the international standard time; a machine connected to the Internet calibrates its time through this protocol.

NTP includes a monlist function, also known as MON_GETLIST, which is mainly used to monitor NTP servers. The monlist function has a security vulnerability: when the NTP server responds to a monlist request, it returns the IPs of the last 600 clients that performed time synchronization with it. The response is split into packets of 6 IPs each, so there can be up to 100 response packets.

Security Advice:

A) Setting for NTP Server (Linux)

Method 1:

Upgrade ntpd to version 4.2.7 or above, as listed in the table.

Method 2:

Block external requests to the NTP service (including the "monlist" function), as listed in the table.

B) Setting for NTP Server (Windows)

This misconfiguration is not available on Windows Server.

C) Best Practice for Managing the Open NTP Servers

Use Multiple NTP Servers

The easiest thing for a network operator to do is simply configure their clients to use multiple NTP servers on the network.

This NTP configuration can process multiple time sources at the same time and discard one if it disagrees with the rest. This makes an attacker’s job harder, because they will need to attack the NTP traffic from a majority of the servers to impact the NTP clients.
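As an added Python example (not ntpd's clock selection algorithm, which is considerably more elaborate), the following implements the agreement rule stated above: the offsets reported by several servers are grouped, the largest group whose members lie within a tolerance of one another is kept, and any server outside it is discarded; when no majority agrees, nothing is trusted rather than picking one source. The server names, offsets and tolerance are constructed values.

```python
"""Agreement check across multiple NTP servers.

Added example, not ntpd's selection algorithm: a client that polls several
servers keeps the largest group of mutually agreeing offsets and discards a
server that disagrees with that group, so one manipulated time source cannot
steer the clock on its own.
"""


def select_truechimers(offsets, tolerance=0.05):
    """Return (kept, discarded) given {server: offset_in_seconds}.

    For each server as an anchor, collect the servers whose offsets lie within
    `tolerance` of the anchor's; the largest such group is kept if it is a
    strict majority of all servers, otherwise every source is treated as
    suspect (an empty `kept` list).
    """
    names = list(offsets)
    best = ()
    for anchor in names:
        cluster = tuple(n for n in names
                        if abs(offsets[n] - offsets[anchor]) <= tolerance)
        if len(cluster) > len(best):
            best = cluster
    if len(best) < 2 or len(best) * 2 <= len(names):
        return [], names
    discarded = [n for n in names if n not in best]
    return list(best), discarded


def consensus_offset(offsets, tolerance=0.05):
    """Median of the agreeing servers' offsets, or None without a majority."""
    kept, _ = select_truechimers(offsets, tolerance)
    if not kept:
        return None
    vals = sorted(offsets[n] for n in kept)
    mid = len(vals) // 2
    return vals[mid] if len(vals) % 2 else (vals[mid - 1] + vals[mid]) / 2


# Constructed measurements: four servers agree within a few milliseconds,
# one reports a step of almost a minute and is the one to discard.
SAMPLE_OFFSETS = {
    "ntp-a": 0.003, "ntp-b": -0.002, "ntp-c": 0.005, "ntp-d": 0.001,
    "ntp-e": 58.4,
}

if __name__ == "__main__":
    kept, discarded = select_truechimers(SAMPLE_OFFSETS)
    print("kept:", kept, "discarded:", discarded)
    print("consensus offset:", consensus_offset(SAMPLE_OFFSETS))
```

The discarded list is what the client-side monitoring described next should alert on: a server that repeatedly falls outside the agreeing group is either broken or being interfered with on the path to the client.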

Monitor Servers From The Client’s Perspective

Another Best Practice is to have NTP client nodes devoted to monitoring the health of the NTP servers on the network. Monitoring an NTP server directly is important, but it will only tell you if there is a problem with that particular server. If you monitor it from the client side, you can look at the time transfer process from the client’s perspective and see whether there is anything suspicious happening after the packets leave the server.

Use NTP Encryption Options

The NTP peering packets (as well as the mode 6 “ntpq”-style queries) contain sensitive information that can be used in an attack. When using these services, operators are advised to either use NTP encryption options (such as symmetric keys) or use other means (such as access control lists) to control who can access these NTP queries. This will prevent this information from leaking out to unauthorized parties who could use them in a cyberattack.

Description: NTP servers that have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks.
The NTP version command is a Mode 6 READVAR query.

Security Advice:

A) Setting for NTP Server (Linux)

Block external requests to the NTP service on the firewall (NTP commonly uses port 123), as listed in the table.

B) Setting for NTP Server (Windows)

This misconfiguration is not available on Windows Server.

C) Best Practice for Managing the Open NTP Servers

The three best practices listed under NTP Monitor above (use multiple NTP servers, monitor servers from the client's perspective, and use NTP encryption options) apply equally here.

Description: The Lightweight Directory Access Protocol (LDAP) is a networking protocol for accessing and maintaining distributed directory information services.
Openly accessible LDAP servers can be abused for DDoS reflection attacks against third parties. Furthermore, they allow potential attackers to gather information on the server or network for preparation of further attacks.

Security Advice:

Block incoming connections to the relevant port on the firewall (LDAP services commonly use port 389).

Description: Multicast DNS (mDNS) is used for resolving host names to IP addresses within small networks that do not include a local DNS server. mDNS uses port 5353/udp.

Openly accessible mDNS services can be abused for DDoS reflection attacks against third parties. Furthermore, they allow potential attackers to gather information on the system or network the service is running on for preparation of further attacks.

Security Advice:

Block incoming connections to the relevant port on the firewall (mDNS commonly uses port 5353).

Description: This report identifies hosts that have the MS-SQL Server Resolution Service running and accessible on the Internet.

These services have the potential to expose information about a client’s network on which this service is accessible and the service itself can be used in UDP amplification attacks.

Security Advice:

Block incoming connections to the relevant port on the firewall (the MS-SQL Server Resolution Service commonly uses port 1434).

Description: The Portmapper (portmap, rpcbind) is required for mapping RPC requests (remote procedure calls) to a network service. It is needed, e.g., for mounting network shares using the Network File System (NFS).

Openly accessible Portmapper services can be abused for DDoS reflection attacks against third parties.

Security Advice:

Method 1:

Block incoming connections to the relevant port on the firewall (Portmapper commonly uses port 111).

Method 2:

The portmapper service can be disabled using the following commands (run as root):
systemctl disable rpcbind
systemctl disable rpcbind.socket
systemctl stop rpcbind
systemctl stop rpcbind.socket

Method 3:

The portmapper service can be removed using the following command (run as root):
apt-get remove rpcbind

Description: This report identifies hosts that have the TFTP service running and accessible on the Internet. Our probe tests to see if the TFTP service is accessible and will either return the file that we are asking for or return an error code. Note, we are not testing to see if file upload is enabled.

Security Advice:

Block incoming connections to the relevant port on the firewall (TFTP commonly uses port 69).

Description: This report identifies hosts that have the Quote of the Day (QOTD) service running and accessible on the Internet.

These services have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. The service is tested by sending a UDP packet containing a single carriage return to UDP port 17.

Security Advice:

Block incoming connections to the relevant port on the firewall (QOTD commonly uses port 17).

Description: The Simple Network Management Protocol (SNMP) is a networking protocol for device management and monitoring.

Openly accessible SNMP servers using the default ‘public’ community can be abused for DDoS reflection attacks against third parties. Furthermore, they allow potential attackers to gather information on the server or network for preparation of further attacks.

Security Advice:

Block incoming connections to the relevant port on the firewall (SNMP commonly uses port 161).

Description: SSDP is used by some consumer-level equipment for network discovery. It has no real use on public servers, and exposed instances are used for reflection DDoS attacks against dedicated servers.

Security Advice:

Method 1:

Block incoming connections to the relevant port on the firewall (SSDP commonly uses port 1900).

Method 2:

If the SSDP server is not required, disable or uninstall it.
Use the following command to drop inbound SSDP traffic: iptables -I INPUT 1 -p udp -m udp --dport 1900 -j DROP

